What is CPRA and How Does it Affect CCPA?
In November 2020, Californians voted to pass Proposition 24, also known as the California Privacy Rights Act (CPRA). With 56 percent of the vote, this legislation will act as an expansion of the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.
The California Consumer Privacy Act (CCPA), according to California Privacy Protection Agency, “gives consumers certain rights over the personal information businesses collect about them and requires businesses to inform consumers about how they collect, use, and retain their personal information.” When the CCPA passed, it was considered groundbreaking legislation that gave new control and protections to private citizens over their personal data — similar to the General Data Protection Regulation (GDPR) in Europe.
The California Consumer Privacy Act (CCPA) set the foundation to protect consumer data in California, granting individuals rights over their personal information. The California Privacy Rights Act (CPRA), passed by California voters, builds upon the CCPA by adding new protections and clarifications.
CCPA’s original impact
Since its implementation, the CCPA has given individuals greater transparency and control over their online footprint. Some of the protections the CCPA included were:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
CPRA’s expanded impact for consumers
The California Privacy Rights Act (CPRA) went into effect on January 1, 2023, and “amended the CCPA by adding additional consumer privacy rights and obligations for businesses” (California Privacy Protection Agency). CPRA introduces additional categories of sensitive personal information, including data related to an individual’s religious or philosophical beliefs. This extension aims to protect consumer data more comprehensively, ensuring that companies handle such sensitive information with greater care.
Under CPRA, consumers have expanded rights to control their personal information. This includes the right to know, delete, and correct their information, as well as to limit the use and sharing of sensitive data, such as financial account details. Businesses are required to provide clear mechanisms for consumers to exercise these rights.
The California Privacy Protection Agency lays out California residents’ rights using the LOCKED acronym:
- L – Right to LIMIT the use and disclosure of sensitive personal information collected about them.
- O – Right to OPT-OUT of the sale of their personal information and the right to opt-out of the sharing of their personal information for cross-context behavioral advertising.
- C – Right to CORRECT inaccurate personal information that businesses have about them.
- K – Right to KNOW what personal information businesses have collected about them and how they use and share it.
- E – Right to EQUAL treatment. Businesses cannot discriminate against consumers for exercising their CCPA rights.
- D – Right to DELETE personal information businesses have collected from them (subject to some exceptions).
CPRA’s expanded impact for businesses
With the introduction of the California Privacy Rights Act (CPRA), businesses are facing more stringent regulations on how they handle consumer data. This new legislation builds upon the CCPA, expanding protections for sensitive personal information and imposing stricter requirements for data collection, sharing, and security practices. As a result, companies must adapt to these enhanced privacy standards to ensure compliance and protect consumer trust.
Data collection and sharing
The CPRA imposes stricter rules on businesses regarding the collection and sharing of consumers’ personal information. Companies must disclose whether they collect personal information and describe their data collection practices, including the types of personal information collected, such as financial account data or details about religious or philosophical beliefs, and the purposes for which this data is used.
Data security and breach notifications
The CPRA enhances security requirements, compelling businesses to implement reasonable safeguards to protect consumer data from data breaches. In the event of a breach, companies are obligated to notify affected consumers promptly, ensuring transparency and accountability in the protection of personal information.
Sharing and selling data
One of the significant changes introduced by the CPRA is the restriction on sharing consumers’ personal information, especially sensitive data. Businesses are now required to offer consumers the option to opt out of having their personal information shared with third parties, further strengthening consumer privacy rights.
Business implications
Companies that collect consumers’ personal information must comply with the new regulations set forth by the CPRA. This includes reassessing their data handling practices, updating privacy policies, and ensuring proper consent mechanisms are in place.
Because businesses are required to give consumers notice explaining their privacy practices and what they do with that data, companies have been legally compelled to re-evaluate and update their policies. The CPRA has strengthened some of the measures and end goals of the CCPA legislation and moves California’s privacy law into closer alignment with Europe’s standards.
CPRA went into effect on January 1, 2023, but applied to personal information collected by businesses on or after January 1, 2022. This gave businesses one year to rework and implement privacy policies that adhere to the new legislation.
Beyond the LOCKED acronym above, there are some key new additions, definitions, and limitations within the CPRA that both consumers and businesses should be aware of:
- New sub-category of “sensitive” personal information
- New definition of “third party”
- New definition of (and partial limitation on) “profiling”
- Limits data retention and requires disclosure of retention periods
- Adds a right to limit the use and disclosure of Sensitive PI
- Adds a right to correct inaccurate PI
- Extends consumer’s opt-out rights to the sharing of PI for cross-contextual advertising
- Extends the non-discrimination provision to include non-retaliation
- Adds contract requirements for all persons that receive PI
- Increases administrative fines for children’s PI
- Requires opt-in consent for sharing PI of children under 16
- Requires a new rulemaking on insurance
- Requires a new rulemaking on cybersecurity and privacy
- Extends the scope of the private right of action
The California Privacy Protection Agency’s impact
One of the biggest components of the CPRA legislation is the immediate creation of the California Privacy Protection Agency. This agency is responsible for enforcing consumer protection laws and ensuring fines and penalties are administered to the respective violators. This agency makes California the first U.S. state with a consumer privacy regulating body.
How to comply with CPRA
Businesses need to act without delay to ensure they are complying with the policy changes going into effect. Consulting with both a legal and cybersecurity team is essential to building a safe and accurate consumer privacy policy for your business.
Here are the steps we recommend:
Step 1
Commit to a cybersecurity program. The best way to avoid a state audit is to proactively commit to a cybersecurity program that secures PI within your online environment.
Step 2
Obtain board-level support for CPRA. Executive support will help align both the business and technical sides of the organization and ensure that you are in alignment, minimizing potential gaps.
Step 3
Prioritize level of effort through a Gap Analysis.
Step 4
Ensure you have a list of all of your assets and map a data flow.
Step 5
Create policies, procedures, and processes to effectively manage CPRA.
Step 6
Implement a security program to secure personal information or partner with a firm like Cyber Defense Group for security advisory services.
Step 7
Ensure proper employee communication and training are completed.
Step 8
Monitor and audit for compliance regularly. Assessments should be created annually.
If you are looking for a trusted partner who understands the California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA) and how to implement the new privacy policies, the experts at Cyber Defense Group can help. We are dedicated to delivering cybersecurity programs that are as dynamic and forward-thinking as the businesses we serve. Schedule a free consultation today to learn more.